WebApp Sec mailing list archives
RE: [WEB SECURITY] Re: SQL In the Request
From: "Jeff Robertson" <jeff.robertson () digitalinsight com>
Date: Fri, 6 Oct 2006 08:21:56 -0400
-----Original Message----- We've got great APIs for avoiding things like buffer overflows and SQL injection, and maybe eventually people will be taught to use them from day one. OTOH, most of the APIs I've seen for dealing with HTML don't do a particularly good job of preventing HTML injection vulnerabilities. Are there any well-designed APIs in this area? What would one look like?
The J2EE frameworks like Struts and JSF go a long way, if the developer can be forced by coding standards to use ONLY the frameworks tags and not hack around them with scriptlets. In Struts: <bean:write name="foo" property="bar" /> Does the same thing as: <%= foo.getBar() %> ..except that the latter is vulnerable to XSS and the former isn't. ------------------------------------------------------------------------- Sponsored by: Watchfire Watchfire has new programs available for pen testers and consultants to use AppScan in client engagements. AppScan is the leading Web application assessment tool. Want to see it for yourself? Take a look today! https://www.watchfire.com/securearea/appscancamp.aspx?id=701500000008YSz --------------------------------------------------------------------------
Current thread:
- RE: [WEB SECURITY] Re: SQL In the Request Ory Segal (Oct 05)
- RE: [WEB SECURITY] Re: SQL In the Request Rowland (Oct 09)
- <Possible follow-ups>
- RE: [WEB SECURITY] Re: SQL In the Request Erez Metula (Oct 05)
- RE: [WEB SECURITY] Re: SQL In the Request Nish Bhalla (Oct 05)
- Re: [WEB SECURITY] Re: SQL In the Request bugtraq (Oct 05)
- Re: [WEB SECURITY] Re: SQL In the Request bryan allott (Oct 09)
- RE: [WEB SECURITY] Re: SQL In the Request Jeff Robertson (Oct 09)
- Re: [WEB SECURITY] Re: SQL In the Request bryan allott (Oct 09)
- Re: [WEB SECURITY] Re: SQL In the Request Rick Zhong (Oct 09)
- Re: [WEB SECURITY] Re: SQL In the Request bryan allott (Oct 09)